Suspicious Powershell Activity

Question

We've found a PowerShell process that has recently started launching when a user logs in, and it appears to be communicating with an outside IP address - not associated with our company at all. I haven't been able to find the source for this besides two entries in the registry that keep reappearing.

What do you mean "where this may be downloading the scripts"?
It is run via the registry key you found, which you should delete.
It is downloading from the IP address 45.56.75.185.
The original vector/dropper might have been via browser or email.

I myself would nuke from orbit (= reinstall Windows), but you could contact someone at bleepingcomputer.com.
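As an added example (not code from anyone in this thread), the following PowerShell enumerates the usual Run/RunOnce autostart keys in HKLM, HKCU and every loaded user hive, flags values that launch PowerShell with download or obfuscation indicators, and decodes any -EncodedCommand payload so it can be read. The only specific taken from the thread is the IP address 45.56.75.185 in the indicator list; the key list and indicator strings are generic assumptions. Run it elevated so HKLM and other users' hives are readable.

```powershell
# Added example, not part of the original thread. Hunts the common registry
# autostart locations for PowerShell-based persistence.
# Assumptions: elevated session; the indicator list is a generic starting point,
# with 45.56.75.185 (the address named in the reply above) added to it.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Also walk every loaded user hive under HKEY_USERS, so other logged-on users'
# Run keys are covered and not just the current user's.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$runKeys += Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

# Strings that, in a Run value, usually mean a download cradle or an obfuscated
# PowerShell launcher. Matching is case-insensitive.
$indicators = 'powershell', '-enc', '-e ', 'DownloadString', 'DownloadFile', 'IEX',
              'Invoke-Expression', 'WebClient', 'Invoke-WebRequest', 'iwr ', 'FromBase64String',
              '-w hidden', 'WindowStyle', 'bypass', '45.56.75.185'

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty attaches.
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $cmd  = [string]$p.Value
            $hits = $indicators | Where-Object { $cmd -match [regex]::Escape($_) }
            if (-not $hits) { continue }

            # -EncodedCommand payloads are base64 of UTF-16LE text; decode for review.
            $decoded = $null
            if ($cmd -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})') {
                try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch {}
            }

            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = $cmd
                Indicators = ($hits -join ', ')
                Decoded    = $decoded
            }
        }
    }
}

Get-SuspiciousAutoruns | Format-List
```

Deleting a flagged value only removes the launcher. If the value comes back after deletion, something with write access to that key is re-creating it (a scheduled task, a service, a logon script, or, as it turned out later in this thread, a Group Policy item), and that is the thing to find next; the Winlogon Userinit/Shell values and Scheduled Tasks are the next places to check with the same indicator list.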

So the mystery is somewhat solved. I traced it to a PowerShell command that was placed in our default domain group policy. I removed this entry and it seems to be slowly removing itself from the network.

The next thing to figure out now is where this came from. There are only three people at our company with the domain password and none of us put that there.

The task that was running in the group policy said it was created by domain\administrator, so we are a bit perplexed over this one. Any ideas on how to trace this part of it?
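One way to trace it, as an added example that is not from anyone in this thread: pull the change metadata for the GPO itself, read the timestamps stored in the Group Policy Preference task XML in SYSVOL, and correlate both with the security log on each domain controller. Assumptions not stated in the post: the GPO is named 'Default Domain Policy', the GroupPolicy and ActiveDirectory RSAT modules are available, and the 'Audit Directory Service Changes' subcategory is enabled on the DCs (without it there are no 5136 events and only the timestamp and repadmin steps apply). One caveat worth knowing before reading the output: the author string shown on a scheduled task is free text set by whoever created it, so "created by domain\administrator" only identifies the account once a logon or directory-change event confirms it.

```powershell
# Added example, not part of the original thread. Correlates GPO change metadata,
# the GPP scheduled-task XML in SYSVOL, and DC security events.
# Assumptions: GPO name below is a placeholder; RSAT GroupPolicy/ActiveDirectory
# modules installed; 5136 auditing enabled on the DCs for step 3 to return rows.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo = Get-GPO -Name 'Default Domain Policy'   # assumed name of the affected GPO

# Helper: read a named EventData field out of a Security event record.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).'#text'
}

# 1. GPO-level timestamps and version counters. Any edit bumps ModificationTime;
#    the Computer/User DS version numbers show which half of the GPO changed.
$gpo | Format-List DisplayName, Id, Path, Owner, CreationTime, ModificationTime,
    @{n='ComputerVersion'; e={ $_.Computer.DSVersion }},
    @{n='UserVersion';     e={ $_.User.DSVersion }}

# 2. GPP scheduled tasks are stored as XML under the GPO's SYSVOL folder. Each task
#    element carries a 'changed' timestamp and a 'uid'; the file's NTFS timestamps
#    are an independent second record of when it was written.
$domain  = $gpo.DomainName
$taskXml = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"
if (Test-Path $taskXml) {
    Get-Item $taskXml | Format-List FullName, CreationTimeUtc, LastWriteTimeUtc
    [xml]$doc = Get-Content -Raw $taskXml
    foreach ($t in $doc.ScheduledTasks.ChildNodes) {
        # TaskV2/ImmediateTaskV2 keep the command under Task/Actions/Exec;
        # the older Task element keeps it in appName/args on Properties.
        $exec = $t.Properties.Task.Actions.Exec
        if ($exec) { $command = "$($exec.Command) $($exec.Arguments)" }
        else       { $command = "$($t.Properties.appName) $($t.Properties.args)" }
        [pscustomobject]@{
            Element = $t.LocalName
            Name    = $t.name
            Changed = $t.changed
            Uid     = $t.uid
            RunAs   = $t.Properties.runAs
            Command = $command
        }
    }
}

# 3. Per DC: who modified the GPO object (5136) and which logons used the
#    Administrator account around that time (4624). A GPMC edit from a workstation
#    shows up on the DC as a network logon (type 3) from that workstation's IP.
#    Without auditing, the originating DC and time of each attribute write are
#    still available from replication metadata:
#        repadmin /showobjmeta <dc-hostname> "<$gpo.Path>"
$since = $gpo.ModificationTime.AddDays(-7)
foreach ($dc in Get-ADDomainController -Filter *) {
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 5136, 4624; StartTime = $since
    }
    foreach ($e in $events) {
        if ($e.Id -eq 5136 -and (Get-EventField $e 'ObjectDN') -like "*$($gpo.Id)*") {
            [pscustomobject]@{
                DC     = $dc.HostName; Time = $e.TimeCreated; Event = 'GPO object modified'
                Who    = Get-EventField $e 'SubjectUserName'
                Detail = "$(Get-EventField $e 'AttributeLDAPDisplayName') = $(Get-EventField $e 'AttributeValue')"
            }
        }
        elseif ($e.Id -eq 4624 -and (Get-EventField $e 'TargetUserName') -eq 'Administrator') {
            [pscustomobject]@{
                DC     = $dc.HostName; Time = $e.TimeCreated; Event = 'Administrator logon'
                Who    = "$(Get-EventField $e 'IpAddress') ($(Get-EventField $e 'WorkstationName'))"
                Detail = "LogonType $(Get-EventField $e 'LogonType') via $(Get-EventField $e 'LogonProcessName')"
            }
        }
    }
}
```

The useful output is the pairing: a 5136 row naming the GPO container with a SubjectUserName, and a 4624 row for that account at nearly the same time with a source IP and workstation name. That tells you which machine the edit was made from, which is the next host to examine; if the source IP is not one of the three people who hold the password, the domain administrator credential itself should be treated as compromised and rotated, along with the krbtgt account.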